Error replace nat - old nat don't delete before create new #999

Closed
NekoYos opened this issue Oct 30, 2023 · 4 comments

NekoYos commented Oct 30, 2023

Description

Error replacing the NAT.
If I change a variable in the VPC, for example add a new subnet:

    subnets = [
      {cidr = "10.1.11.0/24", name = "test-public-subnet-01",  public = true },
      {cidr = "10.1.1.0/24",  name = "test-private-subnet-01", public = false},
      {cidr = "10.1.2.0/24",  name = "test-private-subnet-02", public = false}
    ]

Old variable:

    subnets = [
      {cidr = "10.1.11.0/24", name = "test-public-subnet-01",  public = true },
      {cidr = "10.1.1.0/24",  name = "test-private-subnet-01", public = false}
    ]

In the plan, the NAT is replaced (why?):

      # module.vpc["test-vpc"].aws_nat_gateway.this[0] must be replaced
    +/- resource "aws_nat_gateway" "this" {
          ~ allocation_id                      = "eipalloc-032fbdcc109bc94ec" # forces replacement -> (known after apply) # forces replacement
          ~ association_id                     = "eipassoc-086ed081f8a23b6b9" -> (known after apply)
          ~ id                                 = "nat-0590a6b4080c7c243" -> (known after apply)
          ~ network_interface_id               = "eni-0464130918ff1b96e" -> (known after apply)
          ~ private_ip                         = "10.1.11.197" -> (known after apply)
          ~ public_ip                          = "18.158.97.229" -> (known after apply)
          - secondary_allocation_ids           = [] -> null
          ~ secondary_private_ip_address_count = 0 -> (known after apply)
          ~ secondary_private_ip_addresses     = [] -> (known after apply)
            tags                               = {
                "Name"      = "test-vpc-eu-central-1a"
                "Terraform" = "true"
            }
            # (3 unchanged attributes hidden)
        }

Error:

    │ Error: waiting for EC2 NAT Gateway (nat-0712140e39ce85037) create: unexpected state 'failed', wanted target 'available'. last error: Resource.AlreadyAssociated: Elastic IP address [eipalloc-032fbdcc109bc94ec] is already associated
    │
    │   with module.vpc["test-vpc"].aws_nat_gateway.this[0],
    │   on .terraform/modules/vpc/main.tf line 1059, in resource "aws_nat_gateway" "this":
    │ 1059: resource "aws_nat_gateway" "this" {

On the web I see my first NAT:
test-vpc-eu-central-1a
nat-0590a6b4080c7c243
State: Available

And the new NAT:
test-vpc-eu-central-1a
nat-0712140e39ce85037
State: Failed
State message: Elastic IP address [eipalloc-032fbdcc109bc94ec] is already associated

Terraform does not delete the NAT before creating the new one. If I manually delete the NAT, then terraform apply is successful.

Versions

  • Module version [Required]: 5.1.2
  • Terraform v1.6.2
  • provider registry.terraform.io/hashicorp/aws v5.21.0
  • provider registry.terraform.io/hashicorp/random v3.5.1

Reproduction Code [Required]

Variables:

    vpc_list = [
      {
        name    = "test-vpc"
        cidr    = "10.1.0.0/16"
        azs     = ["eu-central-1a", "eu-central-1b", "eu-central-1c"]
        subnets = [
          {cidr = "10.1.11.0/24", name = "test-public-subnet-01",  public = true },
          {cidr = "10.1.1.0/24",  name = "test-private-subnet-01", public = false}
        ]
        enable_nat_gateway     = true
        single_nat_gateway     = false
        one_nat_gateway_per_az = false
        enable_vpn_gateway     = false
      }
    ]

Module:

    module "vpc" {
      source  = "terraform-aws-modules/vpc/aws"
      version = "5.1.2"

      for_each = {for vpc in var.vpc_list : vpc.name => vpc}

      name                 = each.value.name
      cidr                 = each.value.cidr
      azs                  = each.value.azs

      public_subnets       = coalesce([ for subnet in each.value.subnets : subnet.cidr if subnet.public ], [])
      public_subnet_names  = coalesce([ for subnet in each.value.subnets : subnet.name if subnet.public ], [])

      private_subnets      = coalesce([ for subnet in each.value.subnets : subnet.cidr if !subnet.public ], [])
      private_subnet_names = coalesce([ for subnet in each.value.subnets : subnet.name if !subnet.public ], [])

      enable_nat_gateway     = each.value.enable_nat_gateway
      single_nat_gateway     = each.value.single_nat_gateway
      one_nat_gateway_per_az = each.value.one_nat_gateway_per_az

      enable_vpn_gateway     = each.value.enable_vpn_gateway

      tags = {
        Terraform = "true"
      }

      manage_default_security_group = false
    }

Terminal Output Screenshot(s)

$ terraform apply
module.s3_bucket["jigoku-tf"].data.aws_region.current: Reading...
module.s3_bucket["jigoku-tf"].data.aws_partition.current: Reading...
module.s3_bucket["jigoku-tf"].data.aws_caller_identity.current: Reading...
module.s3_bucket["jigoku-tf"].data.aws_region.current: Read complete after 0s [id=eu-central-1]
module.s3_bucket["jigoku-tf"].aws_s3_bucket.this[0]: Refreshing state... [id=jigoku-tf]
module.s3_bucket["jigoku-tf"].data.aws_partition.current: Read complete after 0s [id=aws]
module.s3_bucket["jigoku-tf"].data.aws_caller_identity.current: Read complete after 1s [id=529907749740]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.dynamodb_table["jigoku-tf-state"].aws_dynamodb_table.this[0] will be created
  + resource "aws_dynamodb_table" "this" {
      + arn              = (known after apply)
      + billing_mode     = "PAY_PER_REQUEST"
      + hash_key         = "LockID"
      + id               = (known after apply)
      + name             = "jigoku-tf-state"
      + read_capacity    = (known after apply)
      + stream_arn       = (known after apply)
      + stream_enabled   = false
      + stream_label     = (known after apply)
      + stream_view_type = (known after apply)
      + tags             = {
          + "Name"      = "jigoku-tf-state"
          + "Terraform" = "true"
        }
      + tags_all         = {
          + "Name"      = "jigoku-tf-state"
          + "Terraform" = "true"
        }
      + write_capacity   = (known after apply)

      + attribute {
          + name = "LockID"
          + type = "S"
        }

      + point_in_time_recovery {
          + enabled = false
        }

      + server_side_encryption {
          + enabled     = false
          + kms_key_arn = (known after apply)
        }

      + timeouts {
          + create = "10m"
          + delete = "10m"
          + update = "60m"
        }

      + ttl {
          + enabled = false
        }
    }

  # module.s3_bucket["jigoku-tf"].aws_s3_bucket_public_access_block.this[0] will be created
  + resource "aws_s3_bucket_public_access_block" "this" {
      + block_public_acls       = true
      + block_public_policy     = true
      + bucket                  = "jigoku-tf"
      + id                      = (known after apply)
      + ignore_public_acls      = true
      + restrict_public_buckets = true
    }

  # module.s3_bucket["jigoku-tf"].aws_s3_bucket_server_side_encryption_configuration.this[0] will be created
  + resource "aws_s3_bucket_server_side_encryption_configuration" "this" {
      + bucket = "jigoku-tf"
      + id     = (known after apply)

      + rule {
          + bucket_key_enabled = true

          + apply_server_side_encryption_by_default {
              + sse_algorithm = "AES256"
            }
        }
    }

  # module.s3_bucket["jigoku-tf"].aws_s3_bucket_versioning.this[0] will be created
  + resource "aws_s3_bucket_versioning" "this" {
      + bucket = "jigoku-tf"
      + id     = (known after apply)

      + versioning_configuration {
          + mfa_delete = (known after apply)
          + status     = "Enabled"
        }
    }

  # module.vpc["test-vpc"].aws_default_network_acl.this[0] will be created
  + resource "aws_default_network_acl" "this" {
      + arn                    = (known after apply)
      + default_network_acl_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + tags                   = {
          + "Name"      = "test-vpc-default"
          + "Terraform" = "true"
        }
      + tags_all               = {
          + "Name"      = "test-vpc-default"
          + "Terraform" = "true"
        }
      + vpc_id                 = (known after apply)

      + egress {
          + action          = "allow"
          + from_port       = 0
          + ipv6_cidr_block = "::/0"
          + protocol        = "-1"
          + rule_no         = 101
          + to_port         = 0
        }
      + egress {
          + action     = "allow"
          + cidr_block = "0.0.0.0/0"
          + from_port  = 0
          + protocol   = "-1"
          + rule_no    = 100
          + to_port    = 0
        }

      + ingress {
          + action          = "allow"
          + from_port       = 0
          + ipv6_cidr_block = "::/0"
          + protocol        = "-1"
          + rule_no         = 101
          + to_port         = 0
        }
      + ingress {
          + action     = "allow"
          + cidr_block = "0.0.0.0/0"
          + from_port  = 0
          + protocol   = "-1"
          + rule_no    = 100
          + to_port    = 0
        }
    }

  # module.vpc["test-vpc"].aws_default_route_table.default[0] will be created
  + resource "aws_default_route_table" "default" {
      + arn                    = (known after apply)
      + default_route_table_id = (known after apply)
      + id                     = (known after apply)
      + owner_id               = (known after apply)
      + route                  = (known after apply)
      + tags                   = {
          + "Name"      = "test-vpc-default"
          + "Terraform" = "true"
        }
      + tags_all               = {
          + "Name"      = "test-vpc-default"
          + "Terraform" = "true"
        }
      + vpc_id                 = (known after apply)

      + timeouts {
          + create = "5m"
          + update = "5m"
        }
    }

  # module.vpc["test-vpc"].aws_eip.nat[0] will be created
  + resource "aws_eip" "nat" {
      + allocation_id        = (known after apply)
      + association_id       = (known after apply)
      + carrier_ip           = (known after apply)
      + customer_owned_ip    = (known after apply)
      + domain               = "vpc"
      + id                   = (known after apply)
      + instance             = (known after apply)
      + network_border_group = (known after apply)
      + network_interface    = (known after apply)
      + private_dns          = (known after apply)
      + private_ip           = (known after apply)
      + public_dns           = (known after apply)
      + public_ip            = (known after apply)
      + public_ipv4_pool     = (known after apply)
      + tags                 = {
          + "Name"      = "test-vpc-eu-central-1a"
          + "Terraform" = "true"
        }
      + tags_all             = {
          + "Name"      = "test-vpc-eu-central-1a"
          + "Terraform" = "true"
        }
      + vpc                  = (known after apply)
    }

  # module.vpc["test-vpc"].aws_internet_gateway.this[0] will be created
  + resource "aws_internet_gateway" "this" {
      + arn      = (known after apply)
      + id       = (known after apply)
      + owner_id = (known after apply)
      + tags     = {
          + "Name"      = "test-vpc"
          + "Terraform" = "true"
        }
      + tags_all = {
          + "Name"      = "test-vpc"
          + "Terraform" = "true"
        }
      + vpc_id   = (known after apply)
    }

  # module.vpc["test-vpc"].aws_nat_gateway.this[0] will be created
  + resource "aws_nat_gateway" "this" {
      + allocation_id                      = (known after apply)
      + association_id                     = (known after apply)
      + connectivity_type                  = "public"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = (known after apply)
      + tags                               = {
          + "Name"      = "test-vpc-eu-central-1a"
          + "Terraform" = "true"
        }
      + tags_all                           = {
          + "Name"      = "test-vpc-eu-central-1a"
          + "Terraform" = "true"
        }
    }

  # module.vpc["test-vpc"].aws_route.private_nat_gateway[0] will be created
  + resource "aws_route" "private_nat_gateway" {
      + destination_cidr_block = "0.0.0.0/0"
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + nat_gateway_id         = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)

      + timeouts {
          + create = "5m"
        }
    }

  # module.vpc["test-vpc"].aws_route.public_internet_gateway[0] will be created
  + resource "aws_route" "public_internet_gateway" {
      + destination_cidr_block = "0.0.0.0/0"
      + gateway_id             = (known after apply)
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)

      + timeouts {
          + create = "5m"
        }
    }

  # module.vpc["test-vpc"].aws_route_table.private[0] will be created
  + resource "aws_route_table" "private" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name"      = "test-vpc-private-eu-central-1a"
          + "Terraform" = "true"
        }
      + tags_all         = {
          + "Name"      = "test-vpc-private-eu-central-1a"
          + "Terraform" = "true"
        }
      + vpc_id           = (known after apply)
    }

  # module.vpc["test-vpc"].aws_route_table.public[0] will be created
  + resource "aws_route_table" "public" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name"      = "test-vpc-public"
          + "Terraform" = "true"
        }
      + tags_all         = {
          + "Name"      = "test-vpc-public"
          + "Terraform" = "true"
        }
      + vpc_id           = (known after apply)
    }

  # module.vpc["test-vpc"].aws_route_table_association.private[0] will be created
  + resource "aws_route_table_association" "private" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # module.vpc["test-vpc"].aws_route_table_association.public[0] will be created
  + resource "aws_route_table_association" "public" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # module.vpc["test-vpc"].aws_subnet.private[0] will be created
  + resource "aws_subnet" "private" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "eu-central-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.1.1.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name"      = "test-private-subnet-01"
          + "Terraform" = "true"
        }
      + tags_all                                       = {
          + "Name"      = "test-private-subnet-01"
          + "Terraform" = "true"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.vpc["test-vpc"].aws_subnet.public[0] will be created
  + resource "aws_subnet" "public" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "eu-central-1a"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.1.11.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name"      = "test-public-subnet-01"
          + "Terraform" = "true"
        }
      + tags_all                                       = {
          + "Name"      = "test-public-subnet-01"
          + "Terraform" = "true"
        }
      + vpc_id                                         = (known after apply)
    }

  # module.vpc["test-vpc"].aws_vpc.this[0] will be created
  + resource "aws_vpc" "this" {
      + arn                                  = (known after apply)
      + cidr_block                           = "10.1.0.0/16"
      + default_network_acl_id               = (known after apply)
      + default_route_table_id               = (known after apply)
      + default_security_group_id            = (known after apply)
      + dhcp_options_id                      = (known after apply)
      + enable_dns_hostnames                 = true
      + enable_dns_support                   = true
      + enable_network_address_usage_metrics = (known after apply)
      + id                                   = (known after apply)
      + instance_tenancy                     = "default"
      + ipv6_association_id                  = (known after apply)
      + ipv6_cidr_block                      = (known after apply)
      + ipv6_cidr_block_network_border_group = (known after apply)
      + main_route_table_id                  = (known after apply)
      + owner_id                             = (known after apply)
      + tags                                 = {
          + "Name"      = "test-vpc"
          + "Terraform" = "true"
        }
      + tags_all                             = {
          + "Name"      = "test-vpc"
          + "Terraform" = "true"
        }
    }

Plan: 18 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.s3_bucket["jigoku-tf"].aws_s3_bucket_public_access_block.this[0]: Creating...
module.s3_bucket["jigoku-tf"].aws_s3_bucket_versioning.this[0]: Creating...
module.s3_bucket["jigoku-tf"].aws_s3_bucket_server_side_encryption_configuration.this[0]: Creating...
module.vpc["test-vpc"].aws_vpc.this[0]: Creating...
module.dynamodb_table["jigoku-tf-state"].aws_dynamodb_table.this[0]: Creating...
module.s3_bucket["jigoku-tf"].aws_s3_bucket_public_access_block.this[0]: Creation complete after 0s [id=jigoku-tf]
module.s3_bucket["jigoku-tf"].aws_s3_bucket_server_side_encryption_configuration.this[0]: Creation complete after 1s [id=jigoku-tf]
module.s3_bucket["jigoku-tf"].aws_s3_bucket_versioning.this[0]: Creation complete after 1s [id=jigoku-tf]
module.dynamodb_table["jigoku-tf-state"].aws_dynamodb_table.this[0]: Creation complete after 6s [id=jigoku-tf-state]
module.vpc["test-vpc"].aws_vpc.this[0]: Still creating... [10s elapsed]
module.vpc["test-vpc"].aws_vpc.this[0]: Creation complete after 11s [id=vpc-0522fea13508f68ae]
module.vpc["test-vpc"].aws_route_table.public[0]: Creating...
module.vpc["test-vpc"].aws_subnet.private[0]: Creating...
module.vpc["test-vpc"].aws_internet_gateway.this[0]: Creating...
module.vpc["test-vpc"].aws_subnet.public[0]: Creating...
module.vpc["test-vpc"].aws_route_table.private[0]: Creating...
module.vpc["test-vpc"].aws_default_route_table.default[0]: Creating...
module.vpc["test-vpc"].aws_default_network_acl.this[0]: Creating...
module.vpc["test-vpc"].aws_default_route_table.default[0]: Creation complete after 1s [id=rtb-083265766ac81fa9f]
module.vpc["test-vpc"].aws_internet_gateway.this[0]: Creation complete after 1s [id=igw-0b9fe2411086794e0]
module.vpc["test-vpc"].aws_eip.nat[0]: Creating...
module.vpc["test-vpc"].aws_route_table.public[0]: Creation complete after 1s [id=rtb-077134a4d69846d40]
module.vpc["test-vpc"].aws_route.public_internet_gateway[0]: Creating...
module.vpc["test-vpc"].aws_route_table.private[0]: Creation complete after 1s [id=rtb-008e597a365d69bba]
module.vpc["test-vpc"].aws_subnet.private[0]: Creation complete after 1s [id=subnet-00050c2585cc41980]
module.vpc["test-vpc"].aws_subnet.public[0]: Creation complete after 1s [id=subnet-0710810d736160a40]
module.vpc["test-vpc"].aws_route_table_association.private[0]: Creating...
module.vpc["test-vpc"].aws_route_table_association.public[0]: Creating...
module.vpc["test-vpc"].aws_route_table_association.private[0]: Creation complete after 0s [id=rtbassoc-0d2433d5f25bcfeb7]
module.vpc["test-vpc"].aws_route_table_association.public[0]: Creation complete after 0s [id=rtbassoc-0ac4a17869b4b9d4d]
module.vpc["test-vpc"].aws_eip.nat[0]: Creation complete after 0s [id=eipalloc-032fbdcc109bc94ec]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Creating...
module.vpc["test-vpc"].aws_route.public_internet_gateway[0]: Creation complete after 0s [id=r-rtb-077134a4d69846d401080289494]
module.vpc["test-vpc"].aws_default_network_acl.this[0]: Creation complete after 1s [id=acl-0064ef30cbb4895cc]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [10s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [20s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [30s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [40s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [50s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m0s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m10s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m20s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m30s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m40s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m50s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Creation complete after 1m55s [id=nat-0590a6b4080c7c243]
module.vpc["test-vpc"].aws_route.private_nat_gateway[0]: Creating...
module.vpc["test-vpc"].aws_route.private_nat_gateway[0]: Creation complete after 0s [id=r-rtb-008e597a365d69bba1080289494]

Apply complete! Resources: 18 added, 0 changed, 0 destroyed.

After adding the new subnet:

$ terraform apply
module.s3_bucket["jigoku-tf"].data.aws_caller_identity.current: Reading...
module.s3_bucket["jigoku-tf"].data.aws_partition.current: Reading...
module.s3_bucket["jigoku-tf"].data.aws_region.current: Reading...
module.s3_bucket["jigoku-tf"].data.aws_partition.current: Read complete after 0s [id=aws]
module.s3_bucket["jigoku-tf"].data.aws_region.current: Read complete after 0s [id=eu-central-1]
module.vpc["test-vpc"].aws_vpc.this[0]: Refreshing state... [id=vpc-0522fea13508f68ae]
module.s3_bucket["jigoku-tf"].aws_s3_bucket.this[0]: Refreshing state... [id=jigoku-tf]
module.dynamodb_table["jigoku-tf-state"].aws_dynamodb_table.this[0]: Refreshing state... [id=jigoku-tf-state]
module.s3_bucket["jigoku-tf"].data.aws_caller_identity.current: Read complete after 1s [id=529907749740]
module.vpc["test-vpc"].aws_route_table.public[0]: Refreshing state... [id=rtb-077134a4d69846d40]
module.vpc["test-vpc"].aws_subnet.public[0]: Refreshing state... [id=subnet-0710810d736160a40]
module.vpc["test-vpc"].aws_default_route_table.default[0]: Refreshing state... [id=rtb-083265766ac81fa9f]
module.vpc["test-vpc"].aws_route_table.private[0]: Refreshing state... [id=rtb-008e597a365d69bba]
module.vpc["test-vpc"].aws_default_network_acl.this[0]: Refreshing state... [id=acl-0064ef30cbb4895cc]
module.vpc["test-vpc"].aws_internet_gateway.this[0]: Refreshing state... [id=igw-0b9fe2411086794e0]
module.vpc["test-vpc"].aws_subnet.private[0]: Refreshing state... [id=subnet-00050c2585cc41980]
module.vpc["test-vpc"].aws_route.public_internet_gateway[0]: Refreshing state... [id=r-rtb-077134a4d69846d401080289494]
module.vpc["test-vpc"].aws_eip.nat[0]: Refreshing state... [id=eipalloc-032fbdcc109bc94ec]
module.vpc["test-vpc"].aws_route_table_association.public[0]: Refreshing state... [id=rtbassoc-0ac4a17869b4b9d4d]
module.vpc["test-vpc"].aws_route_table_association.private[0]: Refreshing state... [id=rtbassoc-0d2433d5f25bcfeb7]
module.s3_bucket["jigoku-tf"].aws_s3_bucket_versioning.this[0]: Refreshing state... [id=jigoku-tf]
module.s3_bucket["jigoku-tf"].aws_s3_bucket_public_access_block.this[0]: Refreshing state... [id=jigoku-tf]
module.s3_bucket["jigoku-tf"].aws_s3_bucket_server_side_encryption_configuration.this[0]: Refreshing state... [id=jigoku-tf]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Refreshing state... [id=nat-0590a6b4080c7c243]
module.vpc["test-vpc"].aws_route.private_nat_gateway[0]: Refreshing state... [id=r-rtb-008e597a365d69bba1080289494]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place
+/- create replacement and then destroy

Terraform will perform the following actions:

  # module.vpc["test-vpc"].aws_eip.nat[1] will be created
  + resource "aws_eip" "nat" {
      + allocation_id        = (known after apply)
      + association_id       = (known after apply)
      + carrier_ip           = (known after apply)
      + customer_owned_ip    = (known after apply)
      + domain               = "vpc"
      + id                   = (known after apply)
      + instance             = (known after apply)
      + network_border_group = (known after apply)
      + network_interface    = (known after apply)
      + private_dns          = (known after apply)
      + private_ip           = (known after apply)
      + public_dns           = (known after apply)
      + public_ip            = (known after apply)
      + public_ipv4_pool     = (known after apply)
      + tags                 = {
          + "Name"      = "test-vpc-eu-central-1b"
          + "Terraform" = "true"
        }
      + tags_all             = {
          + "Name"      = "test-vpc-eu-central-1b"
          + "Terraform" = "true"
        }
      + vpc                  = (known after apply)
    }

  # module.vpc["test-vpc"].aws_nat_gateway.this[0] must be replaced
+/- resource "aws_nat_gateway" "this" {
      ~ allocation_id                      = "eipalloc-032fbdcc109bc94ec" # forces replacement -> (known after apply) # forces replacement
      ~ association_id                     = "eipassoc-086ed081f8a23b6b9" -> (known after apply)
      ~ id                                 = "nat-0590a6b4080c7c243" -> (known after apply)
      ~ network_interface_id               = "eni-0464130918ff1b96e" -> (known after apply)
      ~ private_ip                         = "10.1.11.197" -> (known after apply)
      ~ public_ip                          = "18.158.97.229" -> (known after apply)
      - secondary_allocation_ids           = [] -> null
      ~ secondary_private_ip_address_count = 0 -> (known after apply)
      ~ secondary_private_ip_addresses     = [] -> (known after apply)
        tags                               = {
            "Name"      = "test-vpc-eu-central-1a"
            "Terraform" = "true"
        }
        # (3 unchanged attributes hidden)
    }

  # module.vpc["test-vpc"].aws_nat_gateway.this[1] will be created
  + resource "aws_nat_gateway" "this" {
      + allocation_id                      = (known after apply)
      + association_id                     = (known after apply)
      + connectivity_type                  = "public"
      + id                                 = (known after apply)
      + network_interface_id               = (known after apply)
      + private_ip                         = (known after apply)
      + public_ip                          = (known after apply)
      + secondary_private_ip_address_count = (known after apply)
      + secondary_private_ip_addresses     = (known after apply)
      + subnet_id                          = "subnet-0710810d736160a40"
      + tags                               = {
          + "Name"      = "test-vpc-eu-central-1b"
          + "Terraform" = "true"
        }
      + tags_all                           = {
          + "Name"      = "test-vpc-eu-central-1b"
          + "Terraform" = "true"
        }
    }

  # module.vpc["test-vpc"].aws_route.private_nat_gateway[0] will be updated in-place
  ~ resource "aws_route" "private_nat_gateway" {
        id                     = "r-rtb-008e597a365d69bba1080289494"
      ~ nat_gateway_id         = "nat-0590a6b4080c7c243" -> (known after apply)
        # (4 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

  # module.vpc["test-vpc"].aws_route.private_nat_gateway[1] will be created
  + resource "aws_route" "private_nat_gateway" {
      + destination_cidr_block = "0.0.0.0/0"
      + id                     = (known after apply)
      + instance_id            = (known after apply)
      + instance_owner_id      = (known after apply)
      + nat_gateway_id         = (known after apply)
      + network_interface_id   = (known after apply)
      + origin                 = (known after apply)
      + route_table_id         = (known after apply)
      + state                  = (known after apply)

      + timeouts {
          + create = "5m"
        }
    }

  # module.vpc["test-vpc"].aws_route_table.private[1] will be created
  + resource "aws_route_table" "private" {
      + arn              = (known after apply)
      + id               = (known after apply)
      + owner_id         = (known after apply)
      + propagating_vgws = (known after apply)
      + route            = (known after apply)
      + tags             = {
          + "Name"      = "test-vpc-private-eu-central-1b"
          + "Terraform" = "true"
        }
      + tags_all         = {
          + "Name"      = "test-vpc-private-eu-central-1b"
          + "Terraform" = "true"
        }
      + vpc_id           = "vpc-0522fea13508f68ae"
    }

  # module.vpc["test-vpc"].aws_route_table_association.private[1] will be created
  + resource "aws_route_table_association" "private" {
      + id             = (known after apply)
      + route_table_id = (known after apply)
      + subnet_id      = (known after apply)
    }

  # module.vpc["test-vpc"].aws_subnet.private[1] will be created
  + resource "aws_subnet" "private" {
      + arn                                            = (known after apply)
      + assign_ipv6_address_on_creation                = false
      + availability_zone                              = "eu-central-1b"
      + availability_zone_id                           = (known after apply)
      + cidr_block                                     = "10.1.2.0/24"
      + enable_dns64                                   = false
      + enable_resource_name_dns_a_record_on_launch    = false
      + enable_resource_name_dns_aaaa_record_on_launch = false
      + id                                             = (known after apply)
      + ipv6_cidr_block_association_id                 = (known after apply)
      + ipv6_native                                    = false
      + map_public_ip_on_launch                        = false
      + owner_id                                       = (known after apply)
      + private_dns_hostname_type_on_launch            = (known after apply)
      + tags                                           = {
          + "Name"      = "test-private-subnet-02"
          + "Terraform" = "true"
        }
      + tags_all                                       = {
          + "Name"      = "test-private-subnet-02"
          + "Terraform" = "true"
        }
      + vpc_id                                         = "vpc-0522fea13508f68ae"
    }

Plan: 7 to add, 1 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.vpc["test-vpc"].aws_eip.nat[1]: Creating...
module.vpc["test-vpc"].aws_route_table.private[1]: Creating...
module.vpc["test-vpc"].aws_subnet.private[1]: Creating...
module.vpc["test-vpc"].aws_eip.nat[1]: Creation complete after 1s [id=eipalloc-02d4bbb3fb6072be4]
module.vpc["test-vpc"].aws_subnet.private[1]: Creation complete after 1s [id=subnet-0589fc3e71b4c72a8]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Creating...
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Creating...
module.vpc["test-vpc"].aws_route_table.private[1]: Creation complete after 1s [id=rtb-0ed738830b43059c3]
module.vpc["test-vpc"].aws_route_table_association.private[1]: Creating...
module.vpc["test-vpc"].aws_route_table_association.private[1]: Creation complete after 0s [id=rtbassoc-02438ce63e7e81729]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [10s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Still creating... [10s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [20s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Still creating... [20s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [30s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Still creating... [30s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Still creating... [40s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [40s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [50s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Still creating... [50s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Still creating... [1m0s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m0s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Still creating... [1m10s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m10s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m20s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Still creating... [1m20s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[1]: Creation complete after 1m24s [id=nat-008c17abb6bd54105]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m30s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m40s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [1m50s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [2m0s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [2m10s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [2m20s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [2m30s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [2m40s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [2m50s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [3m0s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [3m10s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [3m20s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [3m30s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [3m40s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [3m50s elapsed]
module.vpc["test-vpc"].aws_nat_gateway.this[0]: Still creating... [4m0s elapsed]
╷
│ Error: waiting for EC2 NAT Gateway (nat-0712140e39ce85037) create: unexpected state 'failed', wanted target 'available'. last error: Resource.AlreadyAssociated: Elastic IP address [eipalloc-032fbdcc109bc94ec] is already associated
│
│   with module.vpc["test-vpc"].aws_nat_gateway.this[0],
│   on .terraform/modules/vpc/main.tf line 1059, in resource "aws_nat_gateway" "this":
│ 1059: resource "aws_nat_gateway" "this" {
│
╵
@ilmarivacklinsc

We're encountering this as well when trying to increase our resilience by upgrading from one NAT Gateway to one in each AZ. Just changing from single_nat_gateway to one_nat_gateway_per_az recreates the existing NAT Gateway, meaning that there will be some downtime. The Terraform diff doesn't make it clear whether the EIP of the existing gateway changes or not either.
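A pre-apply check for the situation reported in this thread, as an added example that is not part of the issue or of the module's code: it reads `terraform show -json` output and lists the NAT gateway and EIP resources the plan replaces, with the replacement order and the attributes that force it. The sample plan is constructed to mirror the resource addresses above; `find_replacements` and `watched_types` are hypothetical names.

```python
import json
import sys

# Constructed sample: the subset of `terraform show -json <planfile>` fields this
# check reads, using the resource addresses from the plan in this issue.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": 'module.vpc["test-vpc"].aws_nat_gateway.this[0]',
         "type": "aws_nat_gateway",
         "change": {"actions": ["create", "delete"],
                    "replace_paths": [["allocation_id"]]}},
        {"address": 'module.vpc["test-vpc"].aws_nat_gateway.this[1]',
         "type": "aws_nat_gateway",
         "change": {"actions": ["create"]}},
        {"address": 'module.vpc["test-vpc"].aws_route.private_nat_gateway[0]',
         "type": "aws_route",
         "change": {"actions": ["update"]}},
    ]
}

def find_replacements(plan, watched_types=("aws_nat_gateway", "aws_eip")):
    """Return watched resources that the plan destroys and recreates."""
    findings = []
    for rc in plan.get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("type") not in watched_types:
            continue
        if not {"create", "delete"} <= set(actions):
            continue  # plain create, update, delete or no-op
        # ["create", "delete"] is shown as +/- in the text plan, ["delete", "create"] as -/+
        order = "create_then_delete" if actions[0] == "create" else "delete_then_create"
        forced_by = [".".join(str(p) for p in path)
                     for path in change.get("replace_paths") or []]
        findings.append({"address": rc["address"], "order": order, "forced_by": forced_by})
    return findings

def main(argv):
    # With a path argument, read real `terraform show -json` output; otherwise use the sample.
    plan = SAMPLE_PLAN
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plan = json.load(fh)
    findings = find_replacements(plan)
    for f in findings:
        print(f"REPLACE {f['address']} ({f['order']}), forced by: {', '.join(f['forced_by']) or 'unknown'}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The non-zero exit status lets a pipeline stop before `terraform apply` when an existing gateway would be recreated.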

This issue has been automatically marked as stale because it has been open 30 days
with no activity. Remove stale label or comment or this issue will be closed in 10 days

@github-actions github-actions bot added the stale label Dec 30, 2023

github-actions bot commented Jan 9, 2024

This issue was automatically closed because of stale in 10 days

@github-actions github-actions bot closed this as not planned Jan 9, 2024

github-actions bot commented Feb 8, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Feb 8, 2024